CN105205400B - Module loading method and device and electronic equipment - Google Patents
Module loading method and device and electronic equipment Download PDFInfo
- Publication number
- CN105205400B CN105205400B CN201510544043.0A CN201510544043A CN105205400B CN 105205400 B CN105205400 B CN 105205400B CN 201510544043 A CN201510544043 A CN 201510544043A CN 105205400 B CN105205400 B CN 105205400B
- Authority
- CN
- China
- Prior art keywords
- module
- new process
- address
- new
- load address
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the invention discloses a module loading method, a module loading device and electronic equipment, wherein the method comprises the following steps: detecting whether a new process is started; if the new process is detected to be started, generating a new loading address of a module of the new process according to a preset address generation rule; and loading the module of the new process according to the new loading address and the size of the memory space occupied by the module. By applying the embodiment of the invention, before the module of the new process is loaded according to the preassigned loading address, the new loading address of the module of the new process is generated, and the module is loaded according to the generated new loading address. Even if a hacker obtains a new load address of the module, the hacker can hardly obtain the pre-specified load address of the module through the new load address, and further cannot search an instruction fragment suitable for attack through the pre-specified load address to attack, so that the protection of the computer against ROP attack is improved, and the safety of the computer is improved.
Description
Technical field
The present invention relates to computer security technique field, more particularly to a kind of module loading method, apparatus and electronic equipment.
Background technology
Windows XP systems are that Microsoft releases the operating system used for PC.Hacker is to meter in order to prevent
The attack of calculation machine, Microsoft are proposed a security tool EMET (Enhanced Mitigation Experience
Tool is experienced in Toolkit, enhancing mitigation).Its basic functional principle is:
According to the size of module preassigned address and committed memory space to process, the module loading of process is arrived
In memory;After the module loading to memory by process, the address and memory headroom that are loaded into the module in memory are carried out
Application, pressure system carry out randomization, the destination address after being randomized to the address for being loaded into the module in memory;
According to the size of destination address and committed memory space after randomization, the module of process is re-loaded in memory;It will be into
Above-mentioned application is distributed in the address and memory headroom that the module original of journey occupies.
But module is loaded using EMET security tools, to ROP (Return-oriented programming,
Return be oriented to programming) attack protective it is bad, be mainly reflected in using EMET security tools by the module of process according to pre-
It is empty to the address and memory for occupying the module original of process to be loaded into memory for the first size of specified address and committed memory space
Between re-start distribution during, hacker possible with ROP attack technologies obtained from memory process module original occupy
Address, and then by the address find suitable for attack instruction segment, and by each instruction segment searched out splice
Get up, is attacked.
Invention content
The embodiment of the present invention is designed to provide a kind of module loading method, apparatus and electronic equipment, is calculated with improving
The protection that machine attacks ROP.
In order to achieve the above objectives, the embodiment of the invention discloses a kind of module loading methods, including:
New process initiation is detected whether;
If having detected new process initiation, carried out according to preassigned load address in the module to the new process
Before load, according to pre-set address create-rule, the new load address of the module of the new process is generated;
According to the size in the module committed memory space of the new load address and the new process that are generated, described in load
The module of new process.
Optionally, the new load of the module of the new process is generated according to pre-set address create-rule described
Before address, further include:
Judge whether the new process is to need process to be protected;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, including:
In the case where the new process is to need process to be protected, according to pre-set address create-rule, generate
The new load address of the module of the new process.
Optionally, described to judge whether the new process is need process to be protected, including:
Judge whether to have recorded information corresponding with the new process in pre-stored process configuration information table;If
Have, is then determined as the new process needing process to be protected.
Optionally, described according to the module committed memory space of the new load address generated and the new process
Size before the module for loading the new process, further includes:
Remove the data that module binding imports in table makes module loading described in the binding input mechanism of disabled module
New load address.
Optionally, the module of the new process is primary module, and there are relocation tables in primary module;Or the new process
Module is system module;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, including:
It is random to generate address, using the address generated at random as the new load address of the module of the new process.
Optionally, the module of the new process is primary module, and relocation table is not present in primary module;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, including:
By preassigned load address, it is determined as the new load address of the module of the new process.
Optionally, the module of the new process is system module:The method further includes:
According to the size of preassigned load address and the module committed memory space of the new process, fill accurate in advance
Standby jump instruction.
Optionally, further include:
Record the preassigned load address of all modules of the new process;
Capture the exception that the new process occurs;
Judge to whether there is the captured corresponding address of exception in recorded load address;
If it is present having prompted the user with flooding.
In order to achieve the above objectives, the embodiment of the invention discloses a kind of module loading devices, including:Detection unit, address
Generation unit and loading unit, wherein
The detection unit, for detecting whether there is new process initiation;
Described address generation unit, in the case where the detection unit has detected new process initiation, to institute
State new process module loaded according to preassigned load address before, according to pre-set address create-rule,
Generate the new load address of the module of the new process;
The loading unit, new load address and the new process for generating according to described address generation unit
The size in module committed memory space loads the module of the new process.
Optionally, further include:First judging unit,
First judging unit, for judging whether the new process is to need process to be protected;
Described address generation unit, is specifically used for:
The case where new process initiation and the first judging unit judging result are to be has been detected in the detection unit
Under, before the module to the new process is loaded according to preassigned load address, according to pre-set address
Create-rule generates the new load address of the module of the new process.
Optionally, first judging unit, is specifically used for:
Judge whether to have recorded information corresponding with the new process in pre-stored process configuration information table;If
Have, is then determined as the new process needing process to be protected.
Optionally, further include:Data dump unit,
The data dump unit is inputted for removing the data in module binding importing table with the binding of disabled module
Mechanism makes module loading to the new load address.
Optionally, the module of the new process is primary module, and there are relocation tables in primary module;Or the new process
Module is system module;
Described address generation unit, is specifically used for:
It is random to generate address, using the address generated at random as the new load address of the module of the new process.
Optionally, the module of the new process is primary module, and relocation table is not present in primary module;
Described address generation unit, is specifically used for:
By preassigned load address, it is determined as the new load address of the module of the new process.
Optionally, the module of the new process is system module:
Further include:Jump instruction fills unit,
The jump instruction fills unit, for being occupied according to the module of preassigned load address and the new process
The size of memory headroom fills pre-prepd jump instruction.
Optionally, further include:Recording unit, exception catching unit, second judgment unit and prompt unit, wherein
The recording unit, the preassigned load address of all modules for recording the new process;
The exception catching unit, the exception occurred for capturing the new process;
The second judgment unit whether there is the exception in the load address for judging the recording unit records
The corresponding address of exception that capturing unit captures;
The prompt unit, in the case where the second judgment unit judging result is to be, having prompted the user with
Flooding.
In order to achieve the above objectives, the embodiment of the invention discloses a kind of electronic equipment, including:Processor, memory, communication
Interface and bus;
The processor, the memory are connected by the bus with the communication interface and complete mutual lead to
Letter;
The memory stores executable program code;
The processor can perform to run with described by reading the executable program code stored in the memory
The corresponding program of program code, for executing any one module loading method that the embodiment of the present invention is provided.
As seen from the above technical solutions, an embodiment of the present invention provides a kind of module loading method and device, detection is
It is no to have new process initiation;If having detected new process initiation, to the module of the new process according to preassigned load
Before address is loaded, according to pre-set address create-rule, the new load address of the module of the new process is generated;
According to the size in the module committed memory space of the new load address and the new process that are generated, the new process is loaded
Module.The technical solution provided using the embodiment of the present invention, to the module of new process according to preassigned load address
Before being loaded, the new load address of the module of new process is just generated, by the module of new process according to the new load of generation
Address is loaded.Even if hacker obtains the new load address of module, it is also difficult to obtain the pre- of module by new load address
First specified load address, and then cannot be found by preassigned load address and be carried out suitable for the instruction segment of attack
Attack, improves the protection that computer attacks ROP, improves the safety of computer.
Description of the drawings
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, to embodiment or will show below
There is attached drawing needed in technology description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this
Some embodiments of invention for those of ordinary skill in the art without creative efforts, can be with
Obtain other attached drawings according to these attached drawings.
Fig. 1 is the first flow diagram of module loading method provided in an embodiment of the present invention;
Fig. 2 is second of flow diagram of module loading method provided in an embodiment of the present invention;
Fig. 3 is the third flow diagram of module loading method provided in an embodiment of the present invention;
Fig. 4 is the 4th kind of flow diagram of module loading method provided in an embodiment of the present invention;
Fig. 5 is the first structural schematic diagram of module loading device provided in an embodiment of the present invention;
Fig. 6 is second of structural schematic diagram of module loading device provided in an embodiment of the present invention;
Fig. 7 is the third structural schematic diagram of module loading device provided in an embodiment of the present invention;
Fig. 8 is the 4th kind of structural schematic diagram of module loading device provided in an embodiment of the present invention.
Specific implementation mode
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete
Site preparation describes, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.It is based on
Embodiment in the present invention, those of ordinary skill in the art are obtained every other without creative efforts
Embodiment shall fall within the protection scope of the present invention.
Below by specific embodiment, the present invention is described in detail.
Fig. 1 is the first flow diagram of module loading method provided in an embodiment of the present invention, may include:
S101:It has detected whether new process initiation, if having detected new process initiation, has executed S102;
S102:Before the module to the new process is loaded according to preassigned load address, according to advance
The address create-rule of setting generates the new load address of the module of the new process;
S103:According to the size in the module committed memory space of the new load address and the new process that are generated, add
Carry the module of the new process.
Illustratively, it is illustrated by taking a process X of a certain browser as an example below.
Assuming that process X includes three modules, respectively module a, module b and module c.Preassigned module a's adds
Set address is:The load address of 00030000H, preassigned module b is:00040000H's, preassigned module c adds
Set address is:00050000H;
In practical applications, preassigned load address is also usually generally referred to by those skilled in the art as module suggestion base
Location suggests loading address, preferential loading address etc..
When detecting that process X starts, to the module a, module b and module c of process X according to preassigned load
Before location is loaded, according to pre-set address create-rule, the new load address of the module of the new process is generated.
Assuming that pre-set address create-rule is:100H is deviated on the basis of preassigned load address, then
The new load address of the module a of generation is:The new load address of 00030100H, the module b of generation is:00040100H is generated
The new load address of module c be:00050100H.
According to the new load address 00040100H of the new load address 00030100H of newly-generated module a, module b, mould
The new load address 00050100H and module a of block c, module b, module c difference committed memories space size, to module a,
Module b and module c are loaded.
In practical applications, the module of the new process is primary module, and there are relocation tables in primary module;Or it is described new
The module of process is system module;Address can be generated at random, using the address generated at random as the module of the new process
New load address.The new load address of the module generated at this time will be constrained no longer by the preassigned load address of module, and
And using the random method for generating address, increase the preassigned load address that hacker obtains module.
Illustratively, it is assumed that according to the random method for generating address, the new load address of generation module a is:
The new load address of 003514D0H, generation module b is:The new load address of 0054250CH, generation module c is:
0064578FH。
According to the new load address 0054250CH, module c of the new load address 003514D0H of the module a of generation, module b
New load address 0064578FH and module a, module b, module c difference committed memory space size, to module a, module
B and module c are loaded.
In practical applications, the module of the new process is primary module, and relocation table is not present in primary module;It can incite somebody to action
Preassigned load address is determined as the new load address of the module of the new process.
In practical applications, the new load address of Process part module can be generated, such as only generates the new of specified module
Load address;The new load address of all modules of process can also be generated, wherein including primary module and system module.Generate into
In the case of the new load address of Cheng Suoyou modules so that hacker also can not construct ROP using primary module and/or system module
It is attacked.
In practical applications, in the case where the module of new process is system module, can also be added according to preassigned
The size in the module committed memory space of set address and the new process, fills pre-prepd jump instruction, specifically, to rising
The memory headroom that beginning address is the preassigned load address of module, space size is module committed memory space size carries out Shen
Please;Addition JMP instructions at all overall situation functions (function for not supporting reorientation), execute JMP and refer in the modules of process
Enable so that all overall situation functions in modules jump to load the module memory headroom in continue to execute, ensure into
The normal operation of journey.
It should be noted that above-mentioned illustrate by taking the process X of a certain browser as an example, only of the invention one is specific real
Example, does not constitute limitation of the invention.
Using embodiment illustrated in fig. 1 of the present invention, add according to preassigned load address in the module to new process
Before load, just generate the new load address of the module of new process, by the module of new process according to generation new load address into
Row load.Even if hacker obtains the new load address of module, it is also difficult to obtain preassigning for module by new load address
Load address, and then cannot by preassigned load address find suitable for attack instruction segment attacked,
The protection that computer attacks ROP is improved, the safety of computer is improved.
Fig. 2 is second of flow diagram of module loading method provided in an embodiment of the present invention, real shown in Fig. 2 of the present invention
On the basis of applying example embodiment shown in Fig. 1, increase S104:Judge whether the new process is to need process to be protected.
Specifically, judging whether the new process is to need process to be protected, it can be determined that pre-stored process configuration
Whether with the new process corresponding information has been recorded in information table;If so, then the new process is determined as needing to protect
Process.
Illustratively, it is illustrated by taking a process X of a certain browser as an example below.
Before process X calling system functions MiMapViewOfImageSection mapping mirror memories, Hook skills are utilized
Art adds the program segment for handling message in the module of process X, is called by system, which is linked into system.Often
When specific message is sent out, before no arrival purpose window, which just first captures the message, that is, the program segment first obtains
To control.At this moment the program segment can be to the message working process.
Assuming that pre-stored process configuration information table stores 5 relevant information of process (such as process title, process
ID number etc.), 5 processes are respectively process M, process N, process A, process X, process F;The message captured using Hook technologies
For the title X of new process;Judge to whether there is information corresponding with process X, judging result in pre-stored configuration information table
It is yes, then is determined as process X needing process to be protected.
It should be noted that above-mentioned illustrate by taking the process X of a certain browser as an example, only of the invention one is specific real
Example, does not constitute limitation of the invention.
Using embodiment illustrated in fig. 2 of the present invention, randomization only is carried out to the address for needing the module of process to be protected,
Avoid the appearance of compatibility issue caused by the module randomization possibility to all processes.
Fig. 3 is the third flow diagram of module loading method provided in an embodiment of the present invention, real shown in Fig. 3 of the present invention
It applies and increases S105 on the basis of example embodiment shown in Fig. 1:The data that module binding imports in table are removed, with tying up for disabled module
Determine input mechanism, makes module loading to the new load address.
Using embodiment illustrated in fig. 3 of the present invention, the data in module binding importing table are removed, are avoided module loading
The appearance of the problem of to preassigned load address.
Fig. 4 is the 4th kind of flow diagram of module loading method provided in an embodiment of the present invention, real shown in Fig. 4 of the present invention
It applies and increases following four step on the basis of example embodiment shown in Fig. 1;
S106:Record the preassigned load address of all modules of the new process;
S107:Capture the exception that the new process occurs;
S108:Judge to whether there is the captured corresponding address of exception in recorded load address;If so, holding
Row S109;
S109:Flooding is prompted the user with.
Illustratively, it is illustrated by taking a process X of a certain browser as an example below.
Assuming that process X includes three modules, respectively module a, module b and module c.Preassigned module a's adds
Set address is:The load address of 00030000H, preassigned module b is:00040000H's, preassigned module c adds
Set address is:00050000H;
Specifically, Hook technologies can be utilized to add the preassigned load address for logging modle in process X
And the program segment of the function of capture process exception;All modules in current process are traversed, and preassigned to modules
Load address is recorded;After the module of process X is loaded according to the new load address of generation, start the exception occurred to process
It is captured;
Assuming that the corresponding address of the exception captured is 0005425FH, judge to whether there is in the load address of record
0005425FH, judging result are no, then have not prompted the user with flooding;
Assuming that the corresponding address of the exception captured is 00040000H, judge to whether there is in the load address of record
00040000H, judging result are yes, then have prompted the user with flooding.
It should be noted that above-mentioned illustrate by taking the process X of a certain browser as an example, only of the invention one is specific real
Example, does not constitute limitation of the invention.
Using embodiment illustrated in fig. 4 of the present invention, user can be made to have known whether that hacker attacks system, Jin Eryong
Family can make system further protection.
Corresponding with above-mentioned embodiment of the method, the embodiment of the present invention also provides a kind of module loading device
Fig. 5 is the first structural schematic diagram of module loading device provided in an embodiment of the present invention, may include:Detection is single
Member 201, scalar/vector 202 and loading unit 203, wherein
Detection unit 201, for detecting whether there is new process initiation;
Scalar/vector 202, in the case where detection unit 201 has detected new process initiation, to described
It is raw according to pre-set address create-rule before the module of new process is loaded according to preassigned load address
At the new load address of the module of the new process;
In practical applications, the module of the new process can be primary module, and there are relocation tables in primary module;It is described
The module of new process can also be system module;Scalar/vector 202 shown in the embodiment of the present invention, specifically can be used for:
In the case where detection unit 201 has detected new process initiation, to the module of the new process according to advance
Before specified load address is loaded, address is generated at random, using the address generated at random as the module of the new process
New load address.
In practical applications, the module of the new process can be primary module, and relocation table is not present in primary module;This
Scalar/vector 202 shown in inventive embodiments, specifically can be used for:
In the case where detection unit 201 has detected new process initiation, to the module of the new process according to advance
Before specified load address is loaded, by preassigned load address, it is determined as the new of the module of the new process and adds
Set address.
Loading unit 203, the mould of new load address and the new process for being generated according to scalar/vector 202
The size in block committed memory space loads the module of the new process.
In the case where the module of the new process is system module, can also include:Jump instruction fills unit is (in figure
It is not shown),
Jump instruction fills unit, for the module committed memory according to preassigned load address and the new process
The size in space fills pre-prepd jump instruction.
Using embodiment illustrated in fig. 5 of the present invention, add according to preassigned load address in the module to new process
Before load, just generate the new load address of the module of new process, by the module of new process according to generation new load address into
Row load.Even if hacker obtains the new load address of module, it is also difficult to obtain preassigning for module by new load address
Load address, and then cannot by preassigned load address find suitable for attack instruction segment attacked,
The protection that computer attacks ROP is improved, the safety of computer is improved.
Fig. 6 is second of structural schematic diagram of module loading device provided in an embodiment of the present invention, real shown in Fig. 6 of the present invention
It applies and increases on the basis of example embodiment shown in Fig. 5:First judging unit 204, wherein
First judging unit 204, for judging whether the new process is to need process to be protected;
The first judging unit 204, specifically can be used for shown in the embodiment of the present invention:
Judge whether to have recorded information corresponding with the new process in pre-stored process configuration information table;If
Have, is then determined as the new process needing process to be protected.
Scalar/vector 202 shown in the embodiment of the present invention, specifically can be used for:
Detect that new process initiation and 204 judging result of the first judging unit are yes in the detection unit 201
In the case of, before the module to the new process is loaded according to preassigned load address, according to pre-setting
Address create-rule, generate the new load address of the module of the new process.
Using embodiment illustrated in fig. 6 of the present invention, randomization only is carried out to the address for needing the module of process to be protected,
Avoid the appearance of compatibility issue caused by the module randomization possibility to all processes.
Fig. 7 is the third structural schematic diagram of module loading device provided in an embodiment of the present invention, real shown in Fig. 7 of the present invention
It applies and increases on the basis of example embodiment shown in Fig. 5:Data dump unit 205, wherein
Data dump unit 205 inputs machine for removing the data in module binding importing table with the binding of disabled module
System, makes module loading to the new load address.
Using embodiment illustrated in fig. 7 of the present invention, the data in module binding importing table are removed, are avoided module loading
The appearance of the problem of to preassigned load address.
Fig. 8 is the 4th kind of structural schematic diagram of module loading device provided in an embodiment of the present invention, real shown in Fig. 8 of the present invention
It applies and increases on the basis of example embodiment shown in Fig. 5:Recording unit 206, exception catching unit 207,208 and of second judgment unit
Prompt unit 209, wherein
Recording unit 206, the preassigned load address of all modules for recording the new process;
Exception catching unit 207, the exception occurred for capturing the new process;
Second judgment unit 208, for judge recording unit 206 record load address in whether there is exception catching list
The corresponding address of exception that member 207 captures;
Prompt unit 209, in the case where 208 judging result of second judgment unit is to be, having prompted the user with excessive
Go out attack.
In practical applications, the recording unit 206 of the embodiment of the present invention, exception catching unit 207, second judgment unit
208 and prompt unit 209 can also increase on the basis of embodiment and embodiment illustrated in fig. 7 shown in Fig. 6.
Using embodiment illustrated in fig. 8 of the present invention, user can be made to have known whether that hacker attacks system, Jin Eryong
Family can make system further protection.
In addition, the embodiment of the present invention additionally provides a kind of electronic equipment, may include:
Processor, memory, communication interface and bus;
The processor, the memory are connected by the bus with the communication interface and complete mutual lead to
Letter;
The memory stores executable program code;
The processor can perform to run with described by reading the executable program code stored in the memory
The corresponding program of program code, for executing the module loading method that the embodiment of the present application is provided;Wherein, the application is implemented
The module loading method that is there is provided of example may include:
New process initiation is detected whether;
If having detected new process initiation, carried out according to preassigned load address in the module to the new process
Before load, according to pre-set address create-rule, the new load address of the module of the new process is generated;
According to the size in the module committed memory space of the new load address and the new process that are generated, described in load
The module of new process.
Wherein, the new load ground of the module of the new process is generated according to pre-set address create-rule described
Before location, can also include:
Judge whether the new process is to need process to be protected;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, it can be with
Including:
In the case where the new process is to need process to be protected, according to pre-set address create-rule, generate
The new load address of the module of the new process.
Wherein, described to judge whether the new process is to need process to be protected, may include:
Judge whether to have recorded information corresponding with the new process in pre-stored process configuration information table;If
Have, is then determined as the new process needing process to be protected.
Wherein, described according to the big of the module committed memory space of the new load address generated and the new process
It is small, before the module for loading the new process, can also include:
Remove the data that module binding imports in table makes module loading described in the binding input mechanism of disabled module
New load address.
Wherein, the module of the new process is primary module, and there are relocation tables in primary module;Or the mould of the new process
Block is system module;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, it can be with
Including:
It is random to generate address, using the address generated at random as the new load address of the module of the new process.
Wherein, the module of the new process is primary module, and relocation table is not present in primary module;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, it can be with
Including:
By preassigned load address, it is determined as the new load address of the module of the new process.
Wherein, the module of the new process is system module:The method can also include:
According to the size of preassigned load address and the module committed memory space of the new process, fill accurate in advance
Standby jump instruction.
Wherein, can also include:
Record the preassigned load address of all modules of the new process;
Capture the exception that the new process occurs;
Judge to whether there is the captured corresponding address of exception in recorded load address;
If it is present having prompted the user with flooding.
It should be noted that herein, relational terms such as first and second and the like are used merely to a reality
Body or operation are distinguished with another entity or operation, are deposited without necessarily requiring or implying between these entities or operation
In any actual relationship or order or sequence.Moreover, the terms "include", "comprise" or its any other variant are intended to
Non-exclusive inclusion, so that the process, method, article or equipment including a series of elements is not only wanted including those
Element, but also include other elements that are not explicitly listed, or further include for this process, method, article or equipment
Intrinsic element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that
There is also other identical elements in process, method, article or equipment including the element.
Each embodiment in this specification is all made of relevant mode and describes, identical similar portion between each embodiment
Point just to refer each other, and each embodiment focuses on the differences from other embodiments.Especially for device reality
For applying example, since it is substantially similar to the method embodiment, so description is fairly simple, related place is referring to embodiment of the method
Part explanation.
One of ordinary skill in the art will appreciate that all or part of step in realization above method embodiment is can
It is completed with instructing relevant hardware by program, the program can be stored in computer read/write memory medium,
The storage medium designated herein obtained, such as:ROM/RAM, magnetic disc, CD etc..
The foregoing is merely illustrative of the preferred embodiments of the present invention, is not intended to limit the scope of the present invention.It is all
Any modification, equivalent replacement, improvement and so within the spirit and principles in the present invention, are all contained in protection scope of the present invention
It is interior.
Claims (15)
1. a kind of module loading method, which is characterized in that including:
New process initiation is detected whether;
If having detected new process initiation, loaded according to preassigned load address in the module to the new process
Before, according to pre-set address create-rule, the new load address of the module of the new process is generated;
The data that module binding imports in table are removed, with the binding input mechanism of disabled module, module loading are made newly to add to described
Set address;
According to the size in the module committed memory space of the new load address and the new process that are generated, load it is described newly into
The module of journey.
2. according to the method described in claim 1, it is characterized in that, described according to pre-set address create-rule, life
Before new load address at the module of the new process, further include:
Judge whether the new process is to need process to be protected;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, including:
In the case where the new process is to need process to be protected, according to pre-set address create-rule, described in generation
The new load address of the module of new process.
3. according to the method described in claim 2, it is characterized in that, it is described judge the new process whether be need it is to be protected into
Journey, including:
Judge whether to have recorded information corresponding with the new process in pre-stored process configuration information table;If so, then
The new process is determined as to need process to be protected.
4. according to the method described in claim 1, it is characterized in that, the module of the new process is primary module, and in primary module
There are relocation tables;Or the module of the new process is system module;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, including:
It is random to generate address, using the address generated at random as the new load address of the module of the new process.
5. according to the method described in claim 1, it is characterized in that, the module of the new process is primary module, and in primary module
There is no relocation tables;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, including:
By preassigned load address, it is determined as the new load address of the module of the new process.
6. according to the method described in claim 4, it is characterized in that, the module of the new process is system module:The method
Further include:
According to the size of preassigned load address and the module committed memory space of the new process, filling is pre-prepd
Jump instruction.
7. the method according to claim 1, which is characterized in that further include:
Record the preassigned load address of all modules of the new process;
Capture the exception that the new process occurs;
Judge to whether there is the captured corresponding address of exception in recorded load address;
If it is present having prompted the user with flooding.
8. a kind of module loading device, which is characterized in that including:Detection unit, scalar/vector, data dump unit and add
Carrier unit, wherein
The detection unit, for detecting whether there is new process initiation;
Described address generation unit, in the case where the detection unit has detected new process initiation, to described new
Before the module of process is loaded according to preassigned load address, according to pre-set address create-rule, generate
The new load address of the module of the new process;
The data dump unit, for removing the data in module binding importing table, with the binding input mechanism of disabled module,
Make module loading to the new load address;
The loading unit, the module of new load address and the new process for being generated according to described address generation unit
The size in committed memory space loads the module of the new process.
9. device according to claim 8, which is characterized in that further include:First judging unit,
First judging unit, for judging whether the new process is to need process to be protected;
Described address generation unit, is specifically used for:
In the case where the detection unit has detected that new process initiation and the first judging unit judging result are to be,
Before the module to the new process is loaded according to preassigned load address, generated according to pre-set address
Rule generates the new load address of the module of the new process.
10. device according to claim 8, which is characterized in that first judging unit is specifically used for:
Judge whether to have recorded information corresponding with the new process in pre-stored process configuration information table;If so, then
The new process is determined as to need process to be protected.
11. device according to claim 8, which is characterized in that the module of the new process is primary module, and in primary module
There are relocation tables;Or the module of the new process is system module;
Described address generation unit, is specifically used for:
It is random to generate address, using the address generated at random as the new load address of the module of the new process.
12. device according to claim 8, which is characterized in that the module of the new process is primary module, and in primary module
There is no relocation tables;
Described address generation unit, is specifically used for:
By preassigned load address, it is determined as the new load address of the module of the new process.
13. according to the devices described in claim 11, which is characterized in that the module of the new process is system module:
Further include:Jump instruction fills unit,
The jump instruction fills unit, for the module committed memory according to preassigned load address and the new process
The size in space fills pre-prepd jump instruction.
14. device according to claim 8, which is characterized in that further include:Recording unit, exception catching unit, second are sentenced
Disconnected unit and prompt unit, wherein
The recording unit, the preassigned load address of all modules for recording the new process;
The exception catching unit, the exception occurred for capturing the new process;
The second judgment unit whether there is the exception catching in the load address for judging the recording unit records
The corresponding address of exception that elements capture arrives;
The prompt unit, in the case where the second judgment unit judging result is to be, having prompted the user with spilling
Attack.
15. a kind of electronic equipment, which is characterized in that including:Processor, memory, communication interface and bus;
The processor, the memory are connected by the bus with the communication interface and complete mutual communication;
The memory stores executable program code;
The processor is run and the executable program by reading the executable program code stored in the memory
The corresponding program of code requires the module loading method described in 1 to 7 any one for perform claim.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510544043.0A CN105205400B (en) | 2015-08-28 | 2015-08-28 | Module loading method and device and electronic equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510544043.0A CN105205400B (en) | 2015-08-28 | 2015-08-28 | Module loading method and device and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105205400A CN105205400A (en) | 2015-12-30 |
CN105205400B true CN105205400B (en) | 2018-10-16 |
Family
ID=54953074
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510544043.0A Active CN105205400B (en) | 2015-08-28 | 2015-08-28 | Module loading method and device and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105205400B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101315655A (en) * | 2008-07-01 | 2008-12-03 | 华为技术有限公司 | Method and apparatus for preventing overflow attack of buffer area |
CN102831339A (en) * | 2012-07-19 | 2012-12-19 | 北京奇虎科技有限公司 | Method, device and browser for protecting webpage against malicious attack |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9218490B2 (en) * | 2011-12-30 | 2015-12-22 | Intel Corporation | Using a trusted platform module for boot policy and secure firmware |
-
2015
- 2015-08-28 CN CN201510544043.0A patent/CN105205400B/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101315655A (en) * | 2008-07-01 | 2008-12-03 | 华为技术有限公司 | Method and apparatus for preventing overflow attack of buffer area |
CN102831339A (en) * | 2012-07-19 | 2012-12-19 | 北京奇虎科技有限公司 | Method, device and browser for protecting webpage against malicious attack |
Also Published As
Publication number | Publication date |
---|---|
CN105205400A (en) | 2015-12-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105589657A (en) | Method and device for realizing mounting of mobile storage | |
CN104166621B (en) | A kind of data processing method and device | |
CN103500116A (en) | Method and system for clearing data generated by application program | |
CN107423369A (en) | A kind of method and device for handling file to be deleted | |
CN104361285A (en) | Method and device for detecting security of application programs of mobile devices | |
CN108170438A (en) | A kind of application program automatic installation method, terminal and computer-readable medium | |
CN105991415A (en) | Message pushing method and mobile terminal | |
CN104750575A (en) | Restoring method and device for mobile terminal operating system | |
US20090271449A1 (en) | Work support apparatus for information processing device | |
CN110413577A (en) | Data-erasure method, device, electronic equipment and computer readable storage medium | |
CN106503065A (en) | The method and system of data transfer | |
CN102222189A (en) | Method for protecting operating system | |
CN105205400B (en) | Module loading method and device and electronic equipment | |
CN105229658A (en) | The safety feature of data handling system and safety method | |
CN104765631B (en) | A kind of application recovery method and device of mobile terminal | |
CN107203417B (en) | Data cleaning method, related device and electronic equipment | |
CN106484449A (en) | A kind of application management method and device | |
CN105740098A (en) | Determination method and system for stale data among backup data | |
CN104412274B (en) | Portable terminal and control method | |
CN104298548A (en) | Information processing method and electronic device | |
CN111538994A (en) | System security detection and repair method, device, storage medium and terminal | |
CN104615387B (en) | Mobile unit and its design method based on XPE systems | |
CN106203121A (en) | Method and device for preventing malicious modification of kernel address and terminal | |
CN106250992A (en) | Task processing method in a kind of mobile electronic device and device | |
CN103942043B (en) | A kind of method and device for managing mobile terminal desktop icon |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
TR01 | Transfer of patent right |
Effective date of registration: 20181214 Address after: Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province Patentee after: Zhuhai Leopard Technology Co.,Ltd. Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing Patentee before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |